What does CISO do?


The role of the CISO is often associated primarily with protecting IT assets, but information that is important (sensitive) to a company does not exist only in digital form. The CISO is therefore responsible for ensuring that effective safeguards are in place to protect corporate information in any form, whether digital, paper-based or verbal.

Here are some of the activities that CISO does on a daily basis:

  • designing, documenting, implementing and updating information security procedures and policies
  • advising the company’s management on information security (and highlighting any issues)
  • overseeing the work of IT professionals and other security specialists (in terms of availability, integrity and confidentiality of information)
  • educating employees about the company’s security rules and best practices on information security
  • organising procurements for vulnerability assessment and penetration testing
  • ensuring implementation of ISO/IEC 27001 and other information security standards
  • managing and coordinating security incidents
  • developing and updating a patch management plan (including for security patches)
  • being responsible for the aspects of physical security (or cooperating with the security manager if there is one)

What is CISOaaS?

A CISO is a top specialist, and performing the tasks of this position requires extensive knowledge of (information) technology as well as experience in managing people and processes. Finding suitable people for this position is extremely difficult in today’s highly competitive job market.

Because technologies are constantly changing and being renewed, a CISO must keep up to date with the latest developments in information security, which is why maintaining a CISO’s competence also requires considerable resources. This is where KPMG’s CISO-as-a-Service (CISOaaS) comes to the aid of companies, enabling them to gain CISO competence without having to search the labour market for a suitable specialist, hire them and maintain their competence.

1. The service is delivered by KPMG’s top specialists with experience in engagements confirming their CISO competence and holding internationally recognised professional certifications such as CISA, CISM, CISSP, CRISC, CGEIT, ISO 27001 Lead Auditor and GSEC.

2. KPMG CISOaaS is not delivered by just one KPMG expert: we offer the client an entire team with diverse experience. Our team members have the competences of chief information security officer, IT system administrator and security expert, and experience in penetration testing of networks and web applications, digital forensics, secure code review, etc.


Provide a safe and sustainable business environment for your company. We help build a resilient and reliable digital landscape, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
cyber@kpmg.ee
Ahtri 4, 10151 Tallinn, Estonia
Analysis of employee awareness

Analysis of employee awareness focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.

Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.

Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.